A1 Audit Information


In the event of any questions arising from this report please contact Peter Cudlip, Partner 
(peter.cudlip@mazars.co.uk) or Darren Jones, Manager (darren.jones@mazars.co.uk). 


Disclaimer 


This report ("Report") was prepared by Mazars LLP at the request of the Information Commissioner's Office and terms for the
preparation and scope of the Report have been agreed with them. The matters raised in this Report are only those which came to
our attention during our work. Whilst every care has been taken to ensure that the information provided in this Report is as accurate
as possible, we have only been able to base findings on the information and documentation provided and consequently no complete
guarantee can be given that this Report is necessarily a comprehensive statement of all the weaknesses that exist, or of all the
improvements that may be required.


The Report was prepared solely for the use and benefit of the Information Commissioner's Office and to the fullest extent permitted
by law Mazars LLP accepts no responsibility and disclaims all liability to any third party who purports to use or rely for any reason
whatsoever on the Report, its contents, conclusions, any extract, reinterpretation, amendment and/or modification. Accordingly, any
reliance placed on the Report, its contents, conclusions, any extract, reinterpretation, amendment and/or modification by any third
party is entirely at their own risk. Please refer to the Statement of Responsibility in Appendix A1 of this report for further information
about responsibilities, limitations and confidentiality.
01 Introduction


As part of the agreed Internal Audit Plan for 2020/21, we have undertaken 
a review of the Information Commissioner's Office (ICO) methodology of the 
business planning arrangements. We have reviewed key controls to assess 
whether management arrangements and processes are designed and 
operating effectively. This included risks in the following areas: 


Business Planning Framework;
Information Rights Strategic Plan;
Risk and Opportunity;
Assumptions;
Performance Measures;
Capacity and Capability; and,
Budget Capability.


Full details of the risks covered are included in Appendix A1. 


We are grateful to the Director of Corporate Affairs & Governance, the 
Head of Risk and Governance, the Director of Resources and other staff 
for their assistance during the audit. 


The fieldwork for this audit was completed whilst government measures 
were in place in response to the coronavirus pandemic (Covid-19). Whilst 
we completed this audit remotely, we have been able to obtain all relevant 
documentation and/or review evidence via screen sharing functionality to 
enable us to complete the work. 


Due to the ICO’s response to the impact of Covid-19 and development of 
new priorities, the 2020-21 business planning process was not finalised. 
Therefore, our review does not provide assurance of the ICO’s 2020/21 
business plans. Our review has focussed on the ICO’s methodology in place 
to develop the business plans across the organisation. 


02 Background 


Business planning is an integral part of an organisation's internal control
mechanisms. It is imperative that organisations have effective monitoring of
their strategic and operational objectives, aims and projects, with robust
scrutiny of their financial position and performance, and regular reporting to
management and Board.


The ICO review and update their business plans for each directorate across 
the organisation, on an annual basis. For the year 2020-21, ICO have 
developed a new business planning framework, which was rolled out to key 
staff (Directors) in October 2019 in preparation for March 2020 approval 
ahead of the financial year. The planning process is facilitated by the Risk 
and Governance Team, but ownership of development and approval of 
business plans sits with the Heads of Service and Directors for each 
directorate across the ICO (15 in total). 


The new business planning framework also sets out how each
directorate should consider which desired projects it wishes to deliver as
part of the forthcoming year's objectives and aims. Each directorate and
accompanying business plan must complete a business case for separate
projects that require additional budget and resource.


Due to the unforeseen circumstances of Covid-19, with business disruption
occurring in late February and early March 2020, the ICO were unable to
finalise any business plans for the 2020-21 financial year.
However, in May 2020, the ICO's Management Board re-prioritised the
business to focus on a narrower set of objectives, helping it to maximise its
impact and continue to provide advice to businesses, Government and the
public as a regulator aiding business recovery.


The re-prioritisation, following agreement through the Executive Team (ET) 
and Senior Leadership Team (SLT), in response to business interruption, 
focused on responding to three regulatory areas where poor information 
rights can cause the greatest harms: 


• Public harms;
• Data sharing harms; and,
• Intrusive and disruptive technology.


Whilst the Covid-19 pandemic still exists, the business planning framework 
moving forward will remain, supporting the Information Rights Strategic Plan 
(IRSP) but also the new priorities to focus on the harms outlined above. 


Our review has not taken into consideration the planning processes of the 
new priorities and is limited to the new framework arrangements up to the 
end of February 2020. 
03 Key Findings


Assurance on effectiveness of internal controls: Adequate Assurance


For the internal audit work carried out (please see Appendix A1 for the
detailed scope and definitions of the assurance ratings), we have provided
adequate assurance.


Our work has indicated that there are some risks that hinder the adequacy
and effectiveness of the new business planning framework. These include the
need to address issues in the following areas:


• The identification of business plan risks and development of supporting
mitigating controls;
• Collaborative development of business plans alongside the annual
financial budget;
• The identification of business plan assumptions and provision of
supporting rationale behind the assumptions made;
• Identification of objective performance measures; and
• The formalising and consideration of training of the new framework to
ensure consistent and effective operation of planning for the future.


Further details of the recommendations raised in relation to the
above are set out in Section 04.


Priority Recommendations

1. (Fundamental)    -
2. (Significant)    5
3. (Housekeeping)   -
TOTAL               5


Examples of areas where controls are operating effectively


• The ICO's newly developed business planning process was
communicated to all key staff (Directors) via email in October 2019 to
prepare for the financial year 2020-21 ahead of March 2020 year-end.

• We were provided a copy of the email, and we were able to confirm
that the new processes had been clearly outlined, with planning and
business case templates attached to support the new process for
consistency. We were also able to confirm that roles, responsibilities
and expected timescales had been clearly set out in relation to
preparedness for approval ahead of the new financial year.

• The ICO's template business planning workbook requires all
directorate business plans to reference the link between the
directorate plans, objectives and aims and the Information Rights
Strategic Plan (IRSP).

• We sample tested eight of the ICO's directorate business plans and
confirmed that each was able to demonstrate that the respective
business plan objectives and aims could be traced to the IRSP, with
specific reference outlined.

• We further tested the same eight business plans and confirmed that
the plans demonstrated a link to the ICO's corporate risks.
Risk Management


Our review of the ICO's Risk and Opportunity Register identified that the ICO
have not established a specific business planning risk. However, this is in
line with expectations from similar organisations. Our review did, however,
confirm that the ICO use business planning as a mitigating control for a
number of risks.


Based on the sample testing of business plans, we identified that ICO were 
able to demonstrate that corporate risks are considered when developing 
directorate plans. The plans tested referenced specific corporate risks from 
the risk and opportunity register. However, we identified the following issues: 


• Three business plans had not populated the required
business planning risks and therefore had not appropriately
identified plan-specific risks and supporting mitigating actions;
and

• Three additional business plans had identified plan-specific risks
yet had failed to provide any mitigating actions to support the
risks identified.


The ICO therefore have room for improvement when considering and 
managing risks as part of business planning. We have raised a 
recommendation in respect of this weakness in Section 04, 4.2. 


We noted that Covid-19 has had a significant impact on the business 
planning process and ICO have been unable to finalise business plans for 
2020/21. Whilst we have not provided assurance on business plans, it will 
be important that the ICO engage early with business leaders across the 
organisation to ensure business plans can be put in place for the start of 
2021/22. 


Value for Money 


At the ICO, the financial planning processes are manual, and require
staff resource to plan accordingly across each of the 15
directorates. On top of this, resource is required from the Risk and
Governance Team to facilitate and quality review business plans ahead of
the respective financial year. We have seen at peers that online planning
tools are available when developing business plans; however, a cost versus
benefit analysis and value for money exercise would need to be performed
if the ICO were to consider such a planning system.


In line with recommendation 4.1, below, the ICO should also consider
whether the development of training to support the business planning
framework will achieve value for money. For instance, does the Risk and
Governance Team have the resource, and does each of the Directors
responsible for business planning in their directorate have sufficient capacity,
to be able to benefit from training and regular support?


Sector Comparison 


The Business Planning process is a critical area for all organisations and 
therefore it is imperative that adequate and effective controls are in place to 
ensure that directorate business plans are robust. A strong business plan 
(plans in the ICO’s case) helps to ensure continuity and provide a foundation 
to achieve long term objectives. 


Robust financial planning includes a clear link between financial and 
strategic planning and the setting and monitoring of critical success factors. 
This is to ensure that the strategic aims and objectives of the organisation 
can be supported and made achievable by the finances available, the 
financial controls operated, and that timely action can be taken as needed. 
Our review identified a key weakness in the ICO’s processes, in that 
directorate business plans do not appropriately link to financial planning for 
the year. We have therefore raised a recommendation in this area in Section 
04, 4.4. 


It is best practice for organisations to undertake detailed scenario planning
or stress testing as part of their planning processes, to demonstrate the
stability of medium to long-term objectives of the organisation in the event of
changes to their operating environments. At the ICO, scenario planning and
stress testing are not necessarily something that will benefit business planning
arrangements. However, the ICO may wish to consider stress testing
business plan assumptions that are made as part of business delivery. Whilst
it is unlikely to have any material financial impact, assumptions made in
business plans may lead to failure to meet strategic objectives or aims. This
will be particularly important with the ICO having recently developed new
priorities to address the potential harms from Covid-19.
04 Areas for Further Improvement and Action


Definitions for the levels of recommendations used within our reports are included in Appendix A1. 


We identified a number of areas where there is scope for improvement in the control environment. The matters arising have been discussed with management, to 
whom we have made recommendations. The recommendations are detailed in the management action plan below. 


Business planning

Observation/Risk

Observation: The ICO's business planning arrangements and business planning
framework do not take into consideration the financial capacity to be able to
deliver the business objectives and aims. The ICO's business planning
framework incorporates what desired projects are to be delivered as part of
each directorate's business plan.

Our review identified that the actual budget availability for business projects,
which form part of business planning arrangements, was not confirmed until
24 February 2020 (£2,246,000), which would have significantly impacted the
business plans drafted had planning not been interrupted by Covid-19.

Additionally, when reviewing the eight business plans sample tested, we
identified that two plans had not populated the staffing costs associated with
the respective annual business plan, meaning we were unable to provide
assurance of whether capacity and capability had been considered to deliver
the business plan.

Risk: Business planning arrangements do not take into account the ICO's
annual budget availability.

Recommendation

The ICO should ensure that the business planning and annual financial
planning arrangements are run in conjunction with each other, enabling
directorates to appropriately plan for projects with budget capacity.

The ICO should also ensure that business plans appropriately consider
capacity and capability when populating the template plans. This should
include both approved projects and staff costs assigned to business as usual.

September 2020

Priority: 2 (Significant)

Management Response

The business planning process for 20/21 was run alongside the budgeting
process, as Finance held the budget meetings at the same time as Directors
were forming their business plans; we accept, however, that this could be
clearer when considering capacity and capability, as the budget section of
the business plans would not have been populated until after the budgets
had been approved and allocated.

For 21/22, in conjunction with Finance, we will ensure that plans take account
of capacity so staffing levels and budgets are planned alongside activity; we
will include draft budgets which will be approved as the business plans and
the budget go through the approval process.

Timescale/responsibility: Joanne Butler, March 2021


Business Planning Framework

Observation/Risk

Observation: The ICO established a new business planning framework for the
financial year 2020-21; however, this was not formally documented, rather it
had been communicated to key staff via email.

We were provided a copy of the email from late October 2019, which
confirmed the new processes had been outlined, with planning and business
case templates attached to support the new process and consistency, along
with expected timescales to finalisation at year-end. We identified that six of
the 15 directorate business plans across the ICO had not been populated at
all, and the remaining plans had not been formally reviewed or signed off at
the planned February 2020 SLT meeting.

We further reviewed the business planning template established to support
the new framework, confirming that the template outlined the key aspects we
would expect to see as part of annual business plans: business risks;
objectives and aims; performance measures; and staff costs. However, as is
identified in more detail in the following recommendations, we identified
significant issues in completion when developing business plans. This
highlights a training need across the ICO.

Risk: The ICO's recently developed planning framework and arrangements
have not been formally documented, leading to business plans not being
agreed and authorised prior to the start of the year.

Recommendation

The ICO should formally document the new business planning framework
and ensure that planning arrangements commence and are completed in a
timely manner, such that plans are approved and agreed prior to the new
financial year.

Whilst we understand resource may not be wholly available, the ICO should
also consider providing formal training to support the business planning
framework to ensure that the new arrangements are consistently applied.

Priority: 2 (Significant)

Management Response

We will ensure that the business planning process links up WFD to ensure
that capability and training and development is also considered and fed into
the WFD plan.

We will formally document the business planning framework during 21/22.
We will provide training on the formalised process, once this has been
approved by SLT, to improve and strengthen the plans during the year (as
business plans are living documents) and for 22/23.

Timescale/responsibility: Joanne Butler, December 2021


Business Planning Risks

Observation/Risk

Observation: Following our sample review of the eight business plans, we
identified the following issues in relation to plan risks:

• Three business plans had not populated the required business planning
risks and therefore had not appropriately identified plan-specific risks and
supporting mitigating actions. These three plans had, however, outlined
how the business plan links to corporate risks.

• Three additional business plans had identified plan-specific risks yet had
failed to provide any mitigating actions to support the risks identified.

Risk: When developing business plans, risks are not identified and mitigated
with supporting controls/actions.

Recommendation

The ICO should ensure that all business plans appropriately address risk and
opportunity, per the corporate risk register, and identify risks related to the
business plan, with mitigating controls or actions to support.

Priority: 2 (Significant)

Management Response

As the business planning process halted due to Covid, the versions sampled
were still draft. For 21/22 the business plan process will include ongoing
quality assurance to ensure that the business plans adequately address risk.

Timescale/responsibility: Joanne Butler, March 21 and 21/22 ongoing


Business Planning Assumptions

Observation/Risk

Observation: The ICO's new template workbook requires that all business
plans separate out objectives into more detail, such that in the detail
assumptions are highlighted and clear, so that when the plans are approved,
assumptions can be referred to and reviewed appropriately.

Following review of the eight sampled business plans, we identified that
three of the eight did not clearly outline what assumptions had been made
for the objectives outlined.

Risk: The ICO do not identify and clearly set out what assumptions have
been made in plans, leading to approval of unsuitable business objectives.

Recommendation

The ICO should ensure that all business plans appropriately outline where
objective and planning assumptions have been made. Assumptions should
be clearly outlined to provide appropriate scrutiny and review prior to
approval and throughout the financial year in the context of objective
achievement.

Priority: 2 (Significant)

Management Response

As the business planning process halted due to Covid, the versions sampled
were still draft. For 21/22 the business plan process will include ongoing
quality assurance to ensure that the business plans adequately address
objectives.

Timescale/responsibility: Joanne Butler, March 21 and 21/22 ongoing


Performance Measures

Observation/Risk

Observation: The ICO's new template workbook requires that all business
plans separate out planned objectives such that detailed performance
measures are established for each respective objective. The performance
measures are also recorded in business plans to ensure that regular
monitoring of plans identifies underperformance.

Our review of the eight sampled business plans identified that three plans
had not developed performance measures to support each objective.
Without performance measures, the objectives failed to identify responsible
persons and timescales for delivery, along with frequency of review.

Risk: Business planning arrangements do not take into consideration how
objectives and aims will be measured.

Recommendation

The ICO should ensure that all future business plans establish performance
measures to support objectives and aims where possible. Performance
measures should be clear and outline responsible persons, timescales for
delivery and details of how frequently the measure will be reviewed.

Priority: 2 (Significant)

Management Response

As the business planning process halted due to Covid, the versions sampled
were still draft. For 21/22 the business plan process will include ongoing
quality assurance to ensure that the business planning arrangements
adequately address performance measures.

Timescale/responsibility: Joanne Butler, March 21 and ongoing during 21/22
A1 Audit Information


Review Control Schedule


Client contacts:        Louise Byers, Director of Corporate Affairs & Governance
                        Joanne Butler, Head of Risk and Governance
                        Andrew Hubert, Director of Resources

Internal Audit Team:    Peter Cudlip, Partner
                        Darren Jones, Manager
                        Chris Hogan, Senior Auditor

Exit Meeting/last information received:  15 September 2020
Draft report issued:                     5 October 2020
Management responses:                    22 October 2020
Final report issued:                     23 October 2020


Scope and Objectives 


Audit objective: to provide assurance over the design and effectiveness of 
the key controls operating in relation to methodology of business planning. 


Our audit considered the following risks relating to the area under review: 


• Business Planning Framework — The ICO's recently developed
planning framework and arrangements have not been formally
documented or communicated to all key stakeholders, leading to
an inconsistent planning approach.

• Information Rights Strategic Plan — Business planning
arrangements do not take into consideration the Information Rights
Strategic Plan and the six strategic goals, nor any longer-term
strategic plans.

• Risk and Opportunity — When developing business plans the ICO
do not consider related risks and opportunities and how Directorate
plans will achieve and mitigate each, respectively.

• Assumptions — The ICO do not identify and clearly set out what
assumptions have been made during the business planning
processes.

  Assumptions are not appropriately reviewed and approved.

• Performance Measures — Business planning arrangements do
not take into consideration how objectives and aims will be
measured.

• Capacity and Capability — The ICO do not have the appropriate
capacity and capability to achieve Directorate Business Plans and
objectives.

  Specific plans and outcomes are not assigned a responsible owner.

  Collaboration outside of Directorates is not considered to ensure
  that business plans can be delivered.

• Budget Capacity — Business planning arrangements do not take
into account the ICO's annual budget availability, resulting in plans
not being achievable.

  The desired outcomes within business plans are not consistent
  with the ICO's wider financial planning arrangements.


The scope for the audit is concerned with assessing whether the ICO has 
in place adequate and appropriate policies, procedures and controls to 
manage the above risks. We will review the design of controls in place and, 
where appropriate, undertake audit testing of these to confirm compliance 
with controls, with a view to forming an opinion on the design of, compliance 
with and effectiveness of internal controls. 


Testing will be performed on a sample basis, and as a result our work does 
not provide absolute assurance that material error, loss or fraud does not 
exist. 
Definitions of Assurance Levels


Substantial Assurance: Our audit finds no significant weaknesses and we feel
that overall risks are being effectively managed. The issues raised tend to be
minor issues or areas for improvement within an adequate control framework.


Adequate Assurance: There is generally a sound control framework in place,
but there are significant issues of compliance or efficiency or some specific
gaps in the control framework which need to be addressed. Adequate
assurance indicates that despite this, there is no indication that risks are
crystallising at present.


Limited Assurance: Weaknesses in the system and/or application of controls
are such that the system objectives are put at risk. Significant improvements
are required to the control environment.


Definitions of Recommendations


Priority 1 (Fundamental): Recommendations represent fundamental control
weaknesses, which expose the organisation to a high degree of unnecessary
risk.

Priority 2 (Significant): Recommendations represent significant control
weaknesses which expose the organisation to a moderate degree of
unnecessary risk.

Priority 3 (Housekeeping): Recommendations show areas where we have
highlighted opportunities to implement a good or better practice, to improve
efficiency or further reduce exposure to risk.
Statement of Responsibility


We take responsibility to the Information Commissioner's Office (ICO) for 
this report which is prepared on the basis of the limitations set out below. 


The responsibility for designing and maintaining a sound system of internal 
control and the prevention and detection of fraud and other irregularities 
rests with management, with internal audit providing a service to 
management to enable them to achieve this objective. Specifically, we 
assess the adequacy and effectiveness of the system of internal control 
arrangements implemented by management and perform sample testing on 
those controls in the period under review with a view to providing an opinion 
on the extent to which risks in this area are managed. 


We plan our work in order to ensure that we have a reasonable expectation 
of detecting significant control weaknesses. However, our procedures 
alone should not be relied upon to identify all strengths and weaknesses in 
internal controls, nor relied upon to identify any circumstances of fraud or 
irregularity. Even sound systems of internal control can only provide 
reasonable and not absolute assurance and may not be proof against 
collusive fraud. 


The matters raised in this report are only those which came to our attention
during the course of our work and are not necessarily a comprehensive
statement of all the weaknesses that exist or all improvements that might
be made. Recommendations for improvements should be assessed by you
for their full impact before they are implemented. The performance of our
work is not and should not be taken as a substitute for management's
responsibilities for the application of sound management practices.


This report is confidential and must not be disclosed to any third party or
reproduced in whole or in part without our prior written consent. To the
fullest extent permitted by law Mazars LLP accepts no responsibility and
disclaims all liability to any third party who purports to use or rely for any
reason whatsoever on the Report, its contents, conclusions, any extract,
reinterpretation, amendment and/or modification. Accordingly, any reliance
placed on the Report by any third party is entirely at their own risk.

Registered office: Tower Bridge House, St Katharine's Way, London E1W 1DD,
United Kingdom. Registered in England and Wales No OC308299.